14 November 2016

Who is who in the EU Security Directives?

I finished reading the Security Directives for the European Union
last week, but this time I would like to highlight the group of
people and organizations that have to work together to achieve a high
common level of security of network and information systems (NIS)
within the Union. Mainly, I have drawn the main actors that play an
important role in the European Union when an incident takes place
within the Union, as this is a significant fact that involves
incident reports from the bottom up.

Reporting Hierarchy

OPERATORS OF ESSENTIAL SERVICES

The first thing that Member States have to do is to make a list of
operators of essential services in order to ask them to notify
incidents to the CSIRT. What are the essential sectors? Energy, such
as electricity, oil and gas; Transport; Banking; Financial market
infrastructures; Health sector; Drinking water supply and
distribution; and Digital Infrastructure, such as IXPs, DNS service
providers and TLD name registries. This list should be done by
9 November 2018.

DIGITAL SERVICE PROVIDERS

As with operators of essential services, Member States have to
identify digital service providers as well, and these should report
incidents to the CSIRT too. What types of digital services do they
have to identify? Online marketplaces, online search engines and
cloud computing services. This list, along with the list of operators
of essential services, should be done by 9 November 2018.

CSIRT

Each Member State shall designate one or more CSIRTs (Computer
Security Incident Response Teams) with adequate resources to
effectively carry out their tasks. CSIRTs can use the CSIRTs Network
for cooperation and to be able to do their tasks efficiently and
effectively. These teams should be in place, and performing their
tasks, by 9 February 2017.

CSIRTs NETWORK

The CSIRTs Network is composed of representatives of the Member
States' CSIRTs and CERT-EU, where the Commission and ENISA also
participate. Its tasks are exchanging information, discussing and
identifying a coordinated response to an incident within the EU;
providing Member States with support in addressing cross-border
incidents; discussing, exploring and identifying further forms of
operational cooperation; informing the Cooperation Group of its
activities; discussing lessons learnt; issuing guidelines in order to
facilitate the convergence of operational practices, etc.

SINGLE POINT OF CONTACT

Each Member State shall designate a national single point of contact
that exercises a liaison function to ensure cross-border cooperation.
In addition, this single point of contact should be able to consult
and cooperate with the relevant national law enforcement authorities
and national data protection authorities. By 9 August 2018, and every
year thereafter, the single point of contact shall also submit a
summary report to the Cooperation Group on the notifications
received, including the number of notifications, the nature of
notified incidents and the actions taken.

ENISA

The European Network and Information Security Agency helps Member
States in developing national strategies on the security of NIS and
in developing national CSIRTs. Moreover, ENISA collaborates with the
Cooperation Group to exchange best practice between Member States and
helps them in building capacity to ensure the security of networks
and information systems.

COOPERATION GROUP

The Cooperation Group will support and facilitate strategic
cooperation and the exchange of information among Member States, with
the goal of developing trust and confidence and with a view to
achieving a high common level of security of network and information
systems in the Union. By 9 August 2018, and every year and a half
thereafter, the Cooperation Group shall also prepare a report
assessing the experience gained with the strategic cooperation. In
addition, this group, along with the CSIRTs network, shall begin to
perform their tasks by 9 February 2017.

COMMISSION

The Commission will submit a report to the European Parliament and to
the Council assessing the consistency of the approach taken by Member
States in the identification of the operators of essential services
by 9 May 2019. Moreover, the Commission will also take into account
the reports of the Cooperation Group and the CSIRTs network on the
experience gained at a strategic and operational level for reporting
to the European Parliament and to the Council by 9 May 2021.

And this is all we have till now. Next step? Developing the
Cooperation Group and CSIRTs by next February. We'll wait for it.

Regards, my friends, drop me a line with the first thing you are
thinking!!!